gke-security
Pass
Audited by Gen Agent Trust Hub on Jun 25, 2026
Risk Level: SAFE
Full Analysis
- Security Hardening Defaults: The skill promotes a 'golden path' security posture by default, enforcing features like Workload Identity Federation, Secret Manager integration, and Shielded GKE Nodes.
- Least Privilege Access: Instructions emphasize granting specific IAM roles (e.g., roles/container.viewer) and namespace-scoped RBAC roles rather than broad administrative permissions.
- Secure Image Usage: Verification steps and assets use trusted, well-known images from official registries, including gcr.io/distroless/static and gcr.io/google.com/cloudsdktool/cloud-sdk, which reduces the attack surface compared to general-purpose base images.
- Network Security Controls: Includes templates for default-deny Network Policies and guidance for Dataplane V2, ensuring network traffic is restricted by default.
- Workload Isolation: Provides guidance on enabling GKE Sandbox (gVisor) for running untrusted workloads in an isolated environment.
- Indirect Prompt Injection Surface: The skill processes Kubernetes resource data and cluster configurations via tools like get_k8s_resource and get_cluster. Because resource fields such as annotations, labels, and ConfigMap contents are free-form text that anyone with write access to the cluster can set, data read through these tools could carry attacker-controlled instructions. This is a standard operational surface for a cluster-management skill, and the skill encourages verification and auditing practices to maintain a secure trust chain.
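The controls the analysis lists, assembled into one set of manifests: a namespace-scoped Role bound to a Workload Identity service account, a default-deny NetworkPolicy with the DNS exception it needs, a distroless-based image, and the gVisor RuntimeClass. This is an added illustration written for this page, not the skill's own templates or assets; the namespace payments, the service-account names, the project ID example-project, and the application image are placeholders.

```yaml
# Added example for this page, not code from the audited skill.
# Placeholders: namespace "payments", service accounts, project "example-project".
# Kubernetes service account mapped to a Google service account via
# Workload Identity Federation for GKE. The GSA additionally needs an IAM
# binding of roles/iam.workloadIdentityUser for the member
# serviceAccount:example-project.svc.id.goog[payments/payments-api].
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payments-api
  namespace: payments
  annotations:
    iam.gke.io/gcp-service-account: payments-api@example-project.iam.gserviceaccount.com
---
# Namespace-scoped Role: read-only on pods in this namespace only, instead of a
# ClusterRoleBinding to cluster-admin or edit.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-api-pod-reader
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: payments-api
    namespace: payments
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# Default deny: an empty podSelector matches every pod in the namespace, and
# listing both policy types with no rules blocks all ingress and egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Default-deny egress also blocks DNS, so allow port 53 to kube-dns in
# kube-system; without this, pods in the namespace cannot resolve any name.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: payments
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# Workload: image built FROM gcr.io/distroless/static:nonroot (placeholder tag),
# non-root, read-only root filesystem, all capabilities dropped, and
# runtimeClassName gvisor so it runs in GKE Sandbox. The "gvisor" RuntimeClass
# only exists on node pools created with GKE Sandbox enabled.
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: payments
spec:
  serviceAccountName: payments-api
  runtimeClassName: gvisor
  securityContext:
    runAsNonRoot: true
    runAsUser: 65532
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: api
      image: us-docker.pkg.dev/example-project/apps/payments-api:1.0.0
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
```

Two checks worth running after kubectl apply: NetworkPolicy objects are accepted by the API server on any GKE cluster but only enforced when the cluster has Dataplane V2 (or the legacy Calico network policy add-on) enabled, so confirm enforcement by attempting a connection into the namespace from a pod elsewhere and expecting it to time out; and kubectl auth can-i --as=system:serviceaccount:payments:payments-api list pods -n kube-system should answer "no", showing the binding did not leak out of the namespace.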
Audit Metadata